Warning: htmlspecialchars() expects parameter 1 to be string, array given


benanamen

Here is a problem I have never run across. The code will demonstrate. I have two sets of first/last name arrays to enter to DB and one non array random required field.

 

On submit with empty random field, required error displays as should, but array fields get error:

 

Warning:  htmlspecialchars() expects parameter 1 to be string, array given. Not sure how to handle this. Google not much help.

 

 

PART 2

 

Assuming first problem has been fixed, I want to require at least one first and last name. (Think Husband and wife, only need one minimum) How would I go about requiring just one first/last name set? 

 



<?php
echo "<pre>";
print_r($_POST);
echo "</pre>";

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
//------------------------------------------------------------------------------------
// Check Missing Fields
//------------------------------------------------------------------------------------
$error = array();
if (empty($_POST['random']))
{
$error['random'] = 'Random Field Required.';
}

//------------------------------------------------------------------------------------
// Check for errors
//------------------------------------------------------------------------------------

if ($error)
{
$error = implode("<br >\n", $error) . "\n";
?>
<div class="row">
<div class="col-md-offset-2 col-md-8">
<div class="error_custom"><?= $error ?></div>
</div>
</div>
<?php
}
else
{
//Insert to DB
}
} // End POST
?>

<!DOCTYPE html>

<html>

<head>
<title>Hello!</title>
</head>

<body>

<form class="form-horizontal" action="<?= $_SERVER['SCRIPT_NAME'] ?>?p=<?= $_GET['p'] ?>" method="post">

<div class="form-group <?= !empty($error['name_first'] ) ? 'has-error' : '' ?>">
<label class="col-md-4 control-label" for="name_first">First Name <span style="color: #FF0000;">*</span></label>
<div class="col-md-4">
<input id="name_first" name="name_first[]" type="text" placeholder="First Name" class="form-control input-md" value="<?= !empty($_POST['name_first']) ? htmlspecialchars($_POST['name_first']) : '';?>">
</div>
</div>


<div class="form-group <?= !empty($error['name_last'] ) ? 'has-error' : '' ?>">
<label class="col-md-4 control-label" for="name_last">Last Name <span style="color: #FF0000;">*</span></label>
<div class="col-md-4">
<input id="name_last" name="name_last[]" type="text" placeholder="Last Name" class="form-control input-md" value="<?= !empty($_POST['name_last']) ? htmlspecialchars($_POST['name_last']) : '';?>">
</div>
</div>


<div class="form-group <?= !empty($error['name_first'] ) ? 'has-error' : '' ?>">
<label class="col-md-4 control-label" for="name_first">First Name <span style="color: #FF0000;">*</span></label>
<div class="col-md-4">
<input id="name_first" name="name_first[]" type="text" placeholder="First Name" class="form-control input-md" value="<?= !empty($_POST['name_first']) ? htmlspecialchars($_POST['name_first']) : '';?>">
</div>
</div>


<div class="form-group <?= !empty($error['name_last'] ) ? 'has-error' : '' ?>">
<label class="col-md-4 control-label" for="name_last">Last Name <span style="color: #FF0000;">*</span></label>
<div class="col-md-4">
<input id="name_last" name="name_last[]" type="text" placeholder="Last Name" class="form-control input-md" value="<?= !empty($_POST['name_last']) ? htmlspecialchars($_POST['name_last']) : '';?>">
</div>
</div>

<!-- Text input-->
<div class="form-group <?= !empty($error['random'] ) ? 'has-error' : '' ?>">
<label class="col-md-4 control-label" for="random">Random Required <span style="color: #FF0000;">*</span></label>
<div class="col-md-4">
<input id="random" name="random" type="text" placeholder="Random" class="form-control input-md" value="<?= !empty($_POST['random']) ? htmlspecialchars($_POST['random']) : '';?>">
</div>
</div>

<div class="form-group">
<div class="col-md-offset-4 col-md-4">
<input type="submit" name="submit" value="Submit" class="btn btn-primary">
</div>
</div>

</form>

</body>
</html>

Edited by benanamen

Your name_first and name_last parameters are arrays, but you cannot apply htmlspecialchars() directly to an array. PHP wouldn't even know which of the two values you mean. You have to explicitly reference them:

$_POST['name_last'][0]   // last name from first set
$_POST['name_last'][1]   // last name from second set

It might actually make more sense to swap the indexes:

name="name[0][first]"
name="name[0][last]"

...

name="name[1][first]"
name="name[1][last]"

Now there are two associative arrays, each containing a first and a last name.

 

There's no special function for checking if one of the two array values is set. Use plain conditions.

 

Your code is also vulnerable to XSS:

  • $_GET['p'] is dropped into the markup with no protection whatsoever.
  • htmlspecialchars() without any flags and any character encoding is dangerous. It could work out, but it could also fail miserably. You should always specify the character encoding and at least set the ENT_QUOTES flag.
Edited by Jacques1
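The points in the answer above, combined into one added example (not code from either poster): it reads the swapped `name[i][first]` / `name[i][last]` layout, requires at least one complete first/last set using plain conditions, and escapes output with an explicit encoding and `ENT_QUOTES`. The helper names `e()` and `validate_names()` and the sample input are assumptions made for illustration.

```php
<?php
// Added example; e() and validate_names() are hypothetical helper names.

// Escape a value for HTML output. A non-string (for example an array where a
// string was expected) becomes an empty string instead of raising a warning.
function e($value): string
{
    return is_string($value)
        ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : '';
}

// Normalise name[i][first] / name[i][last] input and require one complete set.
function validate_names($input, int $sets = 2): array
{
    $names = [];
    $complete = 0;
    for ($i = 0; $i < $sets; $i++) {
        $row = (is_array($input) && isset($input[$i]) && is_array($input[$i])) ? $input[$i] : [];
        $first = (isset($row['first']) && is_string($row['first'])) ? trim($row['first']) : '';
        $last  = (isset($row['last'])  && is_string($row['last']))  ? trim($row['last'])  : '';
        $names[$i] = ['first' => $first, 'last' => $last];
        if ($first !== '' && $last !== '') {
            $complete++; // only a set with both parts filled in counts
        }
    }
    $errors = $complete > 0 ? [] : ['name' => 'At least one first and last name is required.'];
    return [$names, $errors];
}

// Constructed sample input standing in for $_POST['name'].
$post = ['name' => [
    0 => ['first' => 'Ann "A"', 'last' => '<b>Lee</b>'],
    1 => ['first' => ['unexpected array'], 'last' => ''],
]];

[$names, $errors] = validate_names($post['name'] ?? null);

// Re-populate the form fields with escaped values.
foreach ($names as $i => $n) {
    printf(
        "<input name=\"name[%d][first]\" value=\"%s\"> <input name=\"name[%d][last]\" value=\"%s\">\n",
        $i, e($n['first']), $i, e($n['last'])
    );
}
echo $errors ? e($errors['name']) . "\n" : "OK\n";
```

For the `$_GET['p']` value placed in the form's action URL, URL-encode it with `rawurlencode()` first and then pass the result through `e()`.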

> You have to explicitly reference them:

 

 

Perfect! That did the trick. 
 
 
> Your code is also vulnerable to XSS:
>   • $_GET['p'] is dropped into the markup with no protection whatsoever.
>   • htmlspecialchars() without any flags and any character encoding is dangerous. It could work out, but it could also fail miserably. You should always specify the character encoding and at least set the ENT_QUOTES flag.

 

 

 
Thanks, but I am quite aware of that. The code is just a quick example to demonstrate the specific problems mentioned.
 
The $_GET['p'] is on the TODO LIST and relates to a previous discussion you and I had on ways to "encrypt" the url to stop id # changes.
 
The code was cut from a page that has not been updated per your suggestions from another post. All other pages have been updated as such:
 
<?= !empty($note) ? htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '';?>